Pwning the proxy

Dino Covotsos

Compromising an internal proxy is easy. If you know what to do. And we’ll show you. Brute force, traffic sniffing, internal network scanning, reverse HTTP, social engineering, phishing – there are many methods to choose from. This talk will not only cover various ways of using these methods to compromise an internal proxy, but will also explain how to avoid falling victim to them. We will demonstrate various real-life issues, including the release of a previously undisclosed issue in Squid Analysis Report Generator (SARG), which we used in one of our case studies to compromise a proxy server.